The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Our colleagues have written about other HHS guidance on preventing information blocking and potential enforcement risks in prior blog posts and alerts, including:

Together, these HHS statements emphasize that business arrangements regarding health information technology and exchange of health information may not block the appropriate flow of health information and that doing so result in multiple enforcement risks for all parties involved.

HHS has signaled its focus on scrutinizing potential barriers to the appropriate access and exchange of PHI among providers. As a result, parties to arrangements involving the provision of EHRs or the exchange of PHI must examine their contracts and BAAs to ensure that they comply with HIPAA and other laws such as those governing fraud and abuse.